The MAILING DATE of this communication appears on the cover sheet with the correspondence address

Period for Reply

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133).

- Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) [ ] Responsive to communication(s) filed on .

2a) [X] This action is FINAL. 2b) [ ] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims

4) [X] Claim(s) 1-38 is/are pending in the application.

4a) Of the above claim(s) is/are withdrawn from consideration.

5) [ ] Claim(s) is/are allowed.

6) [X] Claim(s) 1-38 is/are rejected.

7) [ ] Claim(s) is/are objected to.

8) [ ] Claim(s) are subject to restriction and/or election requirement.

Application Papers 

9) [ ] The specification is objected to by the Examiner.

10) [X] The drawing(s) filed on 05 August 1999 is/are: a) [X] accepted or b) [ ] objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).

11) [ ] The proposed drawing correction filed on is: a) [ ] approved b) [ ] disapproved by the Examiner.

If approved, corrected drawings are required in reply to this Office action.

13) [ ] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).

a) [ ] All b) [ ] Some* c) [ ] None of:

1. [ ] Certified copies of the priority documents have been received.

2. [ ] Certified copies of the priority documents have been received in Application No. .

3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)).

* See the attached detailed Office action for a list of the certified copies not received.

14) [ ] Acknowledgment is made of a claim for domestic priority under 35 U.S.C. § 119(e) (to a provisional application).

DETAILED ACTION



1. This action is responsive to communications: application, filed 8/05/99; amendment filed 
6/23/03. 

2. Claims 1-38 are pending in the case. Claims 1, 7, 24, 28, and 36 are independent claims. 



Response to Amendment

3. Applicant argues that "The [previous] Office Action assumes that an integrated certificate
of the Saito reference is 'credential types' as required by Applicant's independent claims. The
integrated certificate described in the Saito reference is a specific digital certificate that
corresponds to a particular user and is not the same as 'credential types.' An integrated
certificate may be an instance of one type of credential, but it is not 'credential types.'"
Saito, however, also discloses that authentication is performed using a user ID and password
(Saito: Abstract) and IC card (Saito: column 16, line 61). Each of these methods is a credential
type. Since the application server performs user authentication for the user on the basis of the
combination of the user ID and the password or certificate (Saito: Abstract), this meets the
limitation of "credential types."

Applicant argues that "trust-levels" are not the same as access levels. Applicant argues
that "'trust-levels' encode access requirements for information resources for which a given
credential type may be sufficient to establish appropriate authority." The access levels are
requirements that need to be met in order to access a document. Applicant also argues that there
is no correspondence between credential types and trust levels. Depending on the user's
credentials, the user is given an access level with which they can access certain documents (Saito:
column 6, lines 44-58). This then meets the limitation of trust levels being associated with
credential types.



In view of the rejections and response to arguments above, the prior art rejections are 
maintained. The grounds of rejection as set forth in the previous office action are reproduced
below. 



DETAILED ACTION 
Claim Rejections - 35 USC § 102 

4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in a patent granted on an application for patent by another filed in the United 
States before the invention thereof by the applicant for patent, or on an international application by another who has 
fulfilled the requirements of paragraphs (1), (2), and (4) of section 371(c) of this title before the invention thereof by the 
applicant for patent. 



5. The changes made to 35 U.S.C. 102(e) by the American Inventors Protection Act of 1999 
(AIPA) do not apply to the examination of this application as the application being examined
was not (1) filed on or after November 29, 2000, or (2) voluntarily published under 35 U.S.C. 
122(b). Therefore, this application is examined under 35 U.S.C. 102(e) prior to the amendment 
by the AIPA (pre-AIPA 35 U.S.C. 102(e)). 

(e) the invention was described in- 

(1) an application for patent, published under section 122(b), by another filed in the United States before the 
invention by the applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effect under this subsection of a national application published under section 122(b) only if the
international application designating the United States was published under Article 21(2)(a) of such treaty in the English 
language; or 

(2) a patent granted on an application for patent by another filed in the United States before the invention by the
applicant for patent, except that a patent shall not be deemed filed in the United States for the purposes of this subsection 
based on the filing of an international application filed under the treaty defined in section 351(a). 

6. Claims 1-14, 17-25, 27-38, are rejected under 35 U.S.C. 102(e) as being anticipated by 
U.S. Patent No. 6,275,941 B1 to Saito et al.

In regards to claims 1-6 and 8, Saito discloses a plurality of application servers. This
meets the limitation of "information resources distributed amongst and executable on one or 
more servers, and a gatekeeper interposed between the client entity and the information 
resources." Saito also discloses an integrated authentication server, which meets the limitation
of "a credential gathering service common to the plural information resources." The client
makes a service request by transmitting information of an integrated certificate to the application
server. The integrated certificate meets the limitation of "login credential for the client entity in 
accordance with a mapping rule establishing a correspondence between the sufficient trust level 
and a set of suitable credential types." The application server transfers the information of the 
integrated certificate to the integrated authentication server to request the integrated 
authentication server to confirm the integrated certificate (Saito: column 2, lines 2-8) thus 
realizing single sign-on. For a user who has no integrated certificate, one is issued through the
conventional log-in effected by inputting a user ID and a password and thereafter, each time that 
the service process shifts from one to another, the client transmits the integrated certificate to a 
particular application server, thereby permitting single sign-on (Saito: column 5, lines 51-56). 
This meets the limitation of "a first request for access to a first of the plural information 
resources without prior authentication to a sufficient trust level, the gatekeeper redirects the first 
request to the common credential gathering service and the common credential gathering service 
obtains a login credential." After storing the received integrated certificate in the storage unit,
the client makes a request for accessing a document held by the application server. Each time
the application server receives a request the application server decides, on the basis of the access 
control information, whether the access to the document is permissible (Saito: column 9, lines 
31-44). This meets the limitation of "wherein a receipt of a second request for access to a second 
of the plural information resources, the second request is serviced without redirection to the 
credential gathering service, the second resource having a trust level requirement no greater than 
that of the first information resource." 

In regards to claims 7, 9, 11, 13-14, 17-25, and 28-38, Saito discloses the definition of a 
document is comprised of the document's access control information. The document's access 
control information includes a security policy which is responsible for setting an access level of a 
user who is permitted to access the document (Saito: column 6, lines 3-27). This meets the 
limitation of "means for associating a trust level requirement with the access request." Access 
control information must be set also for a user who attempts to access a specified document. Set 
in the access control information of the user is an access level. By setting the access level it is 
possible for users who are of a higher level than a certain title to be permitted to access a 
specified document (Saito: column 6, lines 44-58). When the user attempts to access the 
application server, the integrated certificate of the user is sent to the integrated authentication 
server. The integrated authentication server decodes the contents of the ciphered integrated 
certificate. The integrated authentication server then confirms the integrated certificate as valid 
and an inquiry is sent to the server to obtain the user's security information. This meets the 
limitation of "an encoding correspondence between trust levels and credential types." The 
integrated authentication server then compares an access level of the user with that of the 
application server and if access is permitted transmits the access control information, which
includes the access level, to the application server. This meets the limitation of "selection logic 
for selecting in accordance with the encoding, a credential type corresponding to the trust level 
requirement; and a credential obtaining interface for requesting and receiving a credential of the 
selected credential type for the initiating client entity." Each time the client requests access for a 
document it is decided based on the access level of the user and the title of the document whether 
the access is permissible (Saito: column 7, lines 11-67). The integrated authentication server
meets the limitation of a proxy server. Saito discloses in Figure 1 the client, integrated 
authentication server, and application server connected to an enterprise network system. This 
meets the limitation of "wherein the machine readable medium is selected from the set of a disk, 
tape, or other magnetic, optical, or electronic storage medium and a network, wired, wireless, or 
other communications medium." 

In regards to claim 10, 12, and 27, Saito discloses the user selects the application server 
from the service menu and inputs information of an integrated certificate from an IC card
(Saito: column 16, line 61). 

Claim Rejections - 35 USC § 103

7. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that 
the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary 
skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the 
invention was made. 

8. Claims 15 and 16 are rejected under 35 U.S.C. 103(a) as being unpatentable over U.S.
Patent No. 6,275,941 to Saito as applied to claims above 1-14, 17-25, 27-38, and further in view 
of U.S. Patent No. 5,610,981 to Mooney et al. 

Saito does not disclose the trust level requirement being supplied by the client. 

Mooney discloses a card, which is used with a card reader, which contains the user access 
privilege level (Mooney: column 8, lines 20-32). 

It would have been obvious to one having ordinary skill in the art at the time the 
invention was made to combine the IC card reader of Saito with the method of controlling access 
via a card reader of Mooney. One having ordinary skill in the art at the time the invention was 
made would have been motivated to combine the IC card reader of Saito with the method of 
controlling access via a card reader of Mooney in order to control access to sensitive information 
on a computer without compromising the security of sensitive data (Mooney: column 2, lines 25-26).

9. Claim 26 is rejected under 35 U.S.C. 103(a) as being unpatentable over U.S. Patent No. 
6,275,941 to Saito as applied to claims above 1-14, 17-25, 27-38, and further in view of 
International Patent No. WO 98/25373 to Glogau. 

Saito does not disclose obtaining an additional credential if the trust level is greater than 
that of the trust level of the authenticated. 

Glogau discloses a user attempting to access protected web site components is directed to 
obtain a license. The user is administered a test and upon passing issued a license that allows the 
user access to the protected web site components. If the user does not obtain a license the user is 
only permitted access to the unprotected web site components (Glogau: Abstract). 

It would have been obvious to one having ordinary skill in the art at the time the
invention was made to combine the method of allowing access by use of certificates of Saito
with the method of obtaining an additional certificate of Glogau. One having ordinary skill in
the art at the time the invention was made would have been motivated to combine the method of
allowing access by use of certificates of Saito with the method of obtaining an additional
certificate of Glogau in order to protect web sites and other works in computer readable form
from unauthorized access and/or reproduction (Glogau: Abstract).



Conclusion 

10. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event,
however, will the statutory period for reply expire later than SIX MONTHS from the mailing 
date of this final action. 

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Cas Stulberger whose telephone number is (703) 305-8034. The 
examiner can normally be reached on Monday - Thursday, 9:00A.M. - 5:00P.M. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on (703) 305-1830. The fax phone number for the
organization where this application or proceeding is assigned is (703) 872-9306. 

Any inquiry of a general nature or relating to the status of this application or proceeding 
should be directed to the receptionist whose telephone number is (703) 305-3900. 

September 4, 2003